I told some people about this at an earlier WordCamp, I think. I'm talking about code that seems smart: it allows a script to auto-include all .php files from a plugin's or theme's folder.
Smart code
The goal of this kind of code is to auto-include all files from /inc/, for example, without adding any line of code like include( MY_PATH . '/class-new-feature.php' );.
As you may know, a good developer is a lazy one: the less redundant the code, the less you have to maintain, and the cleaner and smarter it is.
Well, but here the idea is bad. No, really: it is as good as it is bad.
Here's the code. It exists in many plugins and themes; I take this one just because a client of mine has just been hacked because of it:
[pastacode lang="php" message="Code from Velvet Theme" highlight="" provider="manual"]
/**
 * load all php files in one folder, if the folder contains files with different file extensions return the filenames as array
 *
 * @param string $folder path to the folder that should be loaded
 * @return array $files files the folder contains that are no php files
 */
if(!function_exists('avia_backend_load_scripts_by_folder'))
{
    function avia_backend_load_scripts_by_folder( $folder )
    {
        $files = array();
        // Open a known directory, and proceed to read its contents
        if ( is_dir( $folder ) )
        {
            if ( $dh = opendir( $folder ) )
            {
                while ( ( $file = readdir( $dh ) ) !== false)
                {
                    if('.' != $file && '..' != $file)
                    {
                        $pathinfo = pathinfo($folder ."/". $file);
                        if( isset($pathinfo['extension']) && $pathinfo['extension'] == 'php' )
                        {
                            // every .php file found on disk is executed, whoever put it there
                            include_once( $folder ."/". $file );
                        }
                        else
                        {
                            $files[] = $file;
                        }
                    }
                }
                closedir($dh);
            }
        }
        return $files;
    }
}
[/pastacode]
The code is clean, commented, indented, with a function_exists(), some if and some isset(), perfect!
The author now just has to add some files in the correct folders and, booya, nothing else to do!
The theme is using this function like that:
[pastacode lang="php" message="Inclusion of JS scripts and CSS styles" highlight="" provider="manual"]
// …
avia_backend_load_scripts_by_folder( AVIA_PHP . 'css' );
// …
avia_backend_load_scripts_by_folder( AVIA_PHP . 'js' );
// …
[/pastacode]
All .js and .css files will be returned for a correct inclusion à la WordPress, and all the .php files will be included with include_once().
These .php files can be used to add the filter hooks that enqueue them.
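As an added example (not the theme's code, and the function and variable names are hypothetical), here is the same "load the helpers from the css/ folder" idea rewritten so that only the files the theme explicitly declares get included. Anything else ending in .php that shows up in the folder is reported instead of executed, which is the property the original routine lacks. The demo at the bottom builds a constructed temporary css/ folder with one declared file and one stray file:

```php
<?php
// Added example, not from the Velvet theme: a hardened replacement for the
// "include every .php file in the folder" pattern. Only declared basenames
// are included; any other .php file present is reported, never executed.
// example_load_declared_scripts() is a hypothetical name.

/**
 * Include only the PHP files listed in $expected from $folder.
 *
 * @param string   $folder   Directory to load from.
 * @param string[] $expected Basenames of the PHP files the theme ships.
 * @return array  ['loaded' => string[], 'unexpected' => string[]]
 */
function example_load_declared_scripts( $folder, array $expected )
{
    $result = array( 'loaded' => array(), 'unexpected' => array() );

    $folder = realpath( $folder );
    if ( false === $folder || ! is_dir( $folder ) ) {
        return $result;
    }

    // Pass 1: include exactly the declared files, nothing discovered on disk.
    foreach ( $expected as $basename ) {
        // Refuse anything that is not a plain filename (no "../", no subfolders).
        if ( $basename !== basename( $basename ) ) {
            continue;
        }
        $path = $folder . DIRECTORY_SEPARATOR . $basename;
        if ( is_file( $path ) ) {
            include_once $path;
            $result['loaded'][] = $basename;
        }
    }

    // Pass 2: report every .php file that exists but was never declared.
    // A file dropped there through an upload flaw ends up in this list.
    foreach ( scandir( $folder ) as $file ) {
        if ( '.' === $file || '..' === $file ) {
            continue;
        }
        $ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
        if ( 'php' === $ext && ! in_array( $file, $expected, true ) ) {
            $result['unexpected'][] = $file;
        }
    }

    return $result;
}

// Constructed demo: a temporary "css" folder holding one legitimate helper
// and one stray PHP file the theme never declared. Both files are harmless;
// each one just sets a global so we can tell whether it was executed.
$dir = sys_get_temp_dir() . '/example-css-' . uniqid();
mkdir( $dir );
file_put_contents( $dir . '/enqueue-styles.php', "<?php\n\$GLOBALS['example_styles_loaded'] = true;\n" );
file_put_contents( $dir . '/zz-stray.php',       "<?php\n\$GLOBALS['example_stray_ran'] = true;\n" );

$report = example_load_declared_scripts( $dir, array( 'enqueue-styles.php' ) );

echo empty( $GLOBALS['example_styles_loaded'] ) ? "declared file NOT loaded\n" : "declared file loaded\n";
echo isset( $GLOBALS['example_stray_ran'] )     ? "stray file was executed\n" : "stray file was not executed\n";
echo 'Undeclared PHP files in ' . $dir . ': ' . implode( ', ', $report['unexpected'] ) . "\n";

// Remove the constructed folder again.
unlink( $dir . '/enqueue-styles.php' );
unlink( $dir . '/zz-stray.php' );
rmdir( $dir );
```

The point of the second pass is that the theme can still warn its owner (a log line, an admin notice) when an undeclared .php file is sitting next to its assets, while the first pass guarantees that nothing the theme did not ship is ever executed, regardless of what an .htaccess rule does or does not block.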
The good idea
Great idea, isn't it? Time saved, less maintenance, good, push to prod.
But here, the author has just helped attackers hack your website. How?
Imagine a vulnerability that allows an attacker to upload a malicious .php file into these folders. But these folders are protected with .htaccess; a simple deny from all is enough.
The hacker is stuck: he has just uploaded a file but cannot reach it.
The flaw …
BUT, since the hacker uploaded the file into the /css/ or /js/ folder, the theme's auto-include function will automatically include his malicious file. Cheers to the author.
Or not.
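Since the .htaccess rule gives no protection against this include path, the useful check on a site owner's side is whether any .php file is sitting in asset folders at all. The following audit helper is an added example, not part of the post or of the theme; it lists every .php file found under css/, js/ and similar sub-folders of a theme or plugin, newest first, and goes slightly beyond the routine above by matching the extension case-insensitively (the function and the folder list are assumptions; the demo tree is constructed):

```php
<?php
// Added example, not from the post: an audit helper that reports every .php
// file found inside asset folders (css/, js/, ...) of a theme or plugin root.
// No PHP normally lives there, so each hit deserves a look.
// example_find_php_in_asset_dirs() and the default folder list are assumptions.

/**
 * Find .php files under the given asset sub-folders of $base.
 *
 * @param string   $base    Theme or plugin root directory.
 * @param string[] $subdirs Asset folders to inspect, relative to $base.
 * @return array   List of ['path' => string, 'mtime' => int, 'size' => int], newest first.
 */
function example_find_php_in_asset_dirs( $base, array $subdirs = array( 'css', 'js', 'images', 'fonts' ) )
{
    $hits = array();
    foreach ( $subdirs as $sub ) {
        $dir = rtrim( $base, '/\\' ) . DIRECTORY_SEPARATOR . $sub;
        if ( ! is_dir( $dir ) ) {
            continue;
        }
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $iterator as $info ) {
            // Lower-case the extension so .PHP or .Php files are not missed.
            if ( $info->isFile() && 'php' === strtolower( $info->getExtension() ) ) {
                $hits[] = array(
                    'path'  => $info->getPathname(),
                    'mtime' => $info->getMTime(),
                    'size'  => $info->getSize(),
                );
            }
        }
    }
    // Newest first: a recently modified file is the one to inspect first.
    usort( $hits, function ( $a, $b ) { return $b['mtime'] - $a['mtime']; } );
    return $hits;
}

// Constructed demo tree: a fake theme with a clean js/ folder and a css/
// folder containing one stray PHP file (its content here is a harmless comment).
$root = sys_get_temp_dir() . '/example-theme-' . uniqid();
mkdir( $root . '/css', 0755, true );
mkdir( $root . '/js', 0755, true );
file_put_contents( $root . '/css/style.css',       "body { color: #333; }\n" );
file_put_contents( $root . '/css/not-a-style.PHP', "<?php // constructed stray file\n" );
file_put_contents( $root . '/js/app.js',           "console.log('hi');\n" );

$hits = example_find_php_in_asset_dirs( $root );
if ( empty( $hits ) ) {
    echo "No PHP files found in asset folders.\n";
}
foreach ( $hits as $hit ) {
    printf( "PHP in asset folder: %s (%d bytes, modified %s)\n",
        $hit['path'], $hit['size'], date( 'c', $hit['mtime'] ) );
}

// Remove the constructed tree again.
unlink( $root . '/css/style.css' );
unlink( $root . '/css/not-a-style.PHP' );
unlink( $root . '/js/app.js' );
rmdir( $root . '/css' );
rmdir( $root . '/js' );
rmdir( $root );
```

Pointing the function at wp-content/themes/<theme> or a plugin folder on a real install turns it into a quick "does anything executable live next to my stylesheets" check; the modification time tells you whether the file came with the theme or appeared later.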
The base idea was good, but you have to take the right posture about security:
- Can my development lead to an attack?
- Can my script hurt a user's website?
You have to think about it; you have to become your own hacker and hack yourself. If you can't do this, ask for an audit from people who can; they can help you a lot. Do not take the risk of spreading a product that can harm websites with a critical flaw.
The theme's author has been warned. If you discover this kind of function that auto-includes .php files, do not hesitate to comment here and to alert the author by giving him this link; we all have something to win from this.